PluginCheck.Security.DirectDB.UnescapedDBParameter

Database parameter is not escaped

A value is passed into database-related code without escaping, preparation, or strict allowlisting.

Weight: critical

Why It Shows Up

Plugin Check found a database parameter that appears to come from dynamic input without the usual `$wpdb->prepare()` protection.

Why It Matters

Database parameters often influence queries directly. Unsafe values can corrupt data access or create SQL injection risk.

How to Fix

  • Use `$wpdb->prepare()` for values.
  • Use explicit allowlists for table names, column names, order fields, and directions.
  • Sanitize and validate request data before it reaches query construction.
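The three fixes above, shown side by side in an added example (this is not Plugin Check's own code, nor code from any plugin listed below). It assumes a hypothetical custom table `{$wpdb->prefix}feedback` with columns `id`, `post_id`, `message` and `created_at`, and request parameters `orderby`, `order`, `post_id` and `s`; the function names are also invented for illustration. The first function is the shape the `UnescapedDBParameter` check flags; the second applies `$wpdb->prepare()` to values, allowlists to the identifiers that cannot be prepared, and sanitization before query construction.

```php
<?php
// Added example, not code from Plugin Check or any listed plugin. Assumes a
// hypothetical table {$wpdb->prefix}feedback (id, post_id, message, created_at)
// and request parameters orderby, order, post_id, s.

// BEFORE: the pattern this check reports. Request data is interpolated straight
// into the SQL text, so every parameter (not just the string ones) is injectable.
function feedback_rows_unsafe() {
    global $wpdb;
    $table   = $wpdb->prefix . 'feedback';
    $orderby = $_GET['orderby'];
    $order   = $_GET['order'];
    $post_id = $_GET['post_id'];
    $search  = $_GET['s'];

    return $wpdb->get_results(
        "SELECT * FROM {$table} WHERE post_id = {$post_id}
         AND message LIKE '%{$search}%' ORDER BY {$orderby} {$order}"
    );
}

// AFTER: values go through prepare(); identifiers that prepare() cannot quote
// (column name, sort direction) are resolved against fixed allowlists.
function feedback_rows_safe() {
    global $wpdb;

    // Table name comes from a constant suffix, never from request data.
    $table = $wpdb->prefix . 'feedback';

    // ORDER BY column: accept only a known column, fall back to a default
    // for anything else (including attempts to smuggle in extra SQL).
    $allowed_columns = array( 'id', 'post_id', 'created_at' );
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'created_at';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'created_at';
    }

    // Sort direction is only ever one of two literals.
    $order = isset( $_GET['order'] ) ? strtoupper( sanitize_key( $_GET['order'] ) ) : 'DESC';
    $order = ( 'ASC' === $order ) ? 'ASC' : 'DESC';

    // Values: validate the type first, then let prepare() quote them.
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $search  = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';

    // Escape LIKE wildcards in the user-supplied part before adding our own.
    $like = '%' . $wpdb->esc_like( $search ) . '%';

    // %d and %s are replaced by prepare(); $orderby and $order are allowlisted
    // literals, $table is built from $wpdb->prefix, so the interpolation is safe.
    $sql = $wpdb->prepare(
        "SELECT id, post_id, message, created_at FROM {$table}
         WHERE post_id = %d AND message LIKE %s
         ORDER BY {$orderby} {$order} LIMIT %d",
        $post_id,
        $like,
        50
    );

    return $wpdb->get_results( $sql );
}
```

With `orderby=message; DROP TABLE ...` the hardened version silently sorts by `created_at`; a non-numeric `post_id` becomes `0`; a search term containing `%` or `_` is escaped by `esc_like()` so it matches literally. On WordPress 6.2 and later the `%i` placeholder lets `prepare()` quote an identifier, which can replace the manual interpolation of `$orderby`, but the allowlist is still what keeps an unexpected column name out of the query.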

Affected Plugins

Rank | Plugin | Score/Errors/Warnings/Installs (not delimited in the source; Added and Updated columns are empty) | Top Issue
#2401 | Helpful – Article Feedback Plugin | 86817600 | Database parameter is not escaped
#2402 | FormsCRM – Connect Forms to CRM directly | 86581k+ | Missing direct file access protection
#2403 | Mailchimp List Subscribe Form | 862215660k+ | Non-prefixed global variable
#2404 | Modern Cart – WooCommerce Side Cart & Popup Cart | 8689550k+ | Non-prefixed global variable
#2405 | Pofily – WooCommerce Product Filters | 861322600 | Non-prefixed global variable
#2406 | ShopBuilder – WooCommerce Builder For Elementor | 86941410k+ | Non-prefixed global variable
#2407 | Ultimate Markdown – Markdown Editor, Importer, & Exporter | 866151k+ | Database parameter is not escaped
#2408 | WPUpper Share Buttons | 864744k+ | Dynamic hook name
#2409 | Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance | 871810k+ | Database parameter is not escaped
#2410 | CookieYes – Cookie Banner for Cookie Consent (Easy to setup GDPR/CCPA Compliant Cookie Notice) | 8712911m+ | Non-prefixed global variable
#2411 | Autolinks Manager – SEO Auto Linker | 877161k+ | Database parameter is not escaped
#2412 | Daisycon prijsvergelijkers | 873374400 | Missing Version
#2413 | Enable Abilities for MCP | 87481k+ | Direct Query
#2414 | I Recommend This – Love/Like Button for WordPress Posts | 873495k+ | Direct Query
#2415 | Image Optimizer – Optimize Images and Convert to WebP or AVIF | 8714241m+ | Missing Translators Comment
#2416 | iPanorama 360 – Advanced Virtual Tour Builder | 87726345k+ | Text Domain Mismatch
#2417 | Bulk Page Generator and Mass Page Builder – Page Generator | 8726874k+ | Non-prefixed global variable
#2418 | ParcelWILL (Formerly ParcelPanel) – Shipment Tracking, Tracking & Order Tracking for WooCommerce | 876817k+ | Non-prefixed global variable
#2419 | Recently Viewed Products for WooCommerce – Carousel, Widget, Block & Email | 872181k+ | Database parameter is not escaped
#2420 | WP Auto Updater | 875197k+ | Database parameter is not escaped
#2421 | Hindi-To-Lat | 88314400 | Direct Query
#2422 | Import Markdown – Versatile Markdown Importer | 882592k+ | Missing Arg Domain
#2423 | WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager | 8827333m+ | wp function not compatible with requires wp
#2424 | Live News – Responsive News Ticker | 88992k+ | Database parameter is not escaped
#2425 | Skydropx | 88491k+ | Non-prefixed global variable
#2426 | Ukr-To-Lat | 883136k+ | Direct Query
#2427 | AI Content Creator – Easy ChatGPT powered article generator | 891533500 | Non-prefixed global variable
#2428 | Archivarix External Images Importer | 898351k+ | Non-prefixed global variable
#2429 | Location Add-on For Gravity Forms | 891816400 | Text Domain Mismatch
#2430 | Light Views Counter – Fast, Scalable View Counter for High-Traffic Sites | 892112k+ | Database parameter is not escaped
#2431 | Real Custom Post Order: Create a custom order for your content | 891198k+ | Non-prefixed global variable
#2432 | Taxonomy Metadata | 89494k+ | Direct Query
#2433 | WP-Memory-Usage | 894910k+ | Interpolated SQL is not prepared
#2434 | aThemes Addons for Elementor | 9013968k+ | Non-prefixed global variable
#2435 | Outrank | 90141k+ | Database parameter is not escaped
#2436 | Payment Forms for Paystack | 90494233k+ | Text Domain Mismatch
#2437 | Power Coupons for WooCommerce | 9069120k+ | Non-prefixed global variable
#2438 | WP All Export – Product Export Add-On for WooCommerce | 90142610k+ | Non-prefixed hook name
#2439 | TMDS – Dropshipping for TEMU and Woo | 901110500 | Non-prefixed global variable
#2440 | WPML to Polylang | 901456k+ | Direct Query
#2441 | AAA Option Optimizer | 91179k+ | Database parameter is not escaped
#2442 | Cloudways Site Manager | 9114720k+ | wp function not compatible with requires wp
#2443 | Slim SEO – A Fast & Automated SEO Plugin For WordPress | 913960k+ | Database parameter is not escaped
#2444 | eMagicOne Store Manager for WooCommerce | 91619500 | Non-prefixed class
#2445 | WCFM – Multivendor Marketplace REST API for WooCommerce | 915341k+ | Non-prefixed hook name
#2446 | WowShipping – Weight Based Table Rate Shipping with Live Rates for UPS, USPS, DHL | 912618500 | Text Domain Mismatch
#2447 | WPBulky – WordPress Bulk Edit Post Types | 91118400 | Database parameter is not escaped
#2448 | MB Relationships | 92281k+ | Non-prefixed class
#2449 | N-Genius Online by Network | 922381k+ | Non-prefixed class
#2450 | Easy Demo Importer – A Modern One-Click Demo Import Solution | 932492k+ | Non-prefixed hook name